To work around this issue without patching and recompiling the policy:

    cd /etc/selinux/ ; mkdir -p fixes ; cd fixes/

Create ssh_cat_fix.te:

    module ssh_cat_fix 1.0;

    require {
            type sshd_t;
            # the attribute must be declared here as well, or checkmodule
            # rejects the typeattribute statement below
            attribute mcssetcats;
    }

    # give sshd the same MCS permission refpolicy grants via
    # mcs_process_set_categories(), so it may transition to a
    # user context that carries categories
    typeattribute sshd_t mcssetcats;

    # compile, package and install the module
    checkmodule -m -M -o ssh_cat_fix.mod ssh_cat_fix.te
    semodule_package -m ssh_cat_fix.mod -o ssh_cat_fix.pp
    rm ssh_cat_fix.mod
    semodule -i ssh_cat_fix.pp

On Tue, Oct 09, 2012 at 04:12:52PM -0400, Paul Donohue wrote:
> Package: selinux-policy-default
> Version: 2:2.20110726-3
> Severity: important
>
> When protecting sshd with this policy, the transition that occurs when running
> the user's shell is always denied, which prevents users from logging in:
>
> type=AVC msg=audit(1349808486.496:121): avc: denied { transition } for
> pid=3120 comm="sshd" path="/bin/bash" dev=dm-0 ino=554
> scontext=system_u:system_r:sshd_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> The reason is that the daemon has no MCS categories assigned to it, so the mcs
> policy constraints prevent the addition of categories.
>
> As best as I can tell, sshd is not supposed to have any categories, and the user
> is supposed to have categories, so this behavior should be allowed. (Did I miss
> something here?)
>
> Assuming this behavior should be allowed, editing
> policy/modules/system/authlogin.if and adding mcs_process_set_categories($1)
> in the auth_login_pgm_domain interface fixes this problem.
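A small triage check, added here as an example and not part of the bug report or of the Debian policy, that parses AVC records like the one quoted above and flags process transition denials where the source context carries no MCS categories while the target does; that pattern is exactly the mcssetcats case the report describes. The audit log below is constructed from the quoted record plus one unrelated denial for contrast.

```python
import re

# Constructed sample: the AVC record quoted in the bug report (re-joined onto
# one line) plus an unrelated file denial that must not be flagged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1349808486.496:121): avc: denied { transition } for pid=3120 comm="sshd" path="/bin/bash" dev=dm-0 ino=554 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1349808490.001:122): avc: denied { read } for pid=3121 comm="cat" name="shadow" dev=dm-0 ino=99 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_context(ctx):
    """Split user:role:type:range and return (type, set of MCS category numbers
    present in the high level of the range)."""
    user, role, typ, rng = ctx.split(":", 3)
    high = rng.split("-")[-1]            # 's0-s0:c0.c1023' -> 's0:c0.c1023'
    cats = set()
    if ":" in high:                      # plain 's0' carries no categories
        for part in high.split(":", 1)[1].split(","):
            if "." in part:              # 'c0.c1023' is an inclusive range
                lo, hi = part.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:                        # single category such as 'c5'
                cats.add(int(part[1:]))
    return typ, cats

def find_mcs_transition_denials(log_text):
    """Return (source type, target type) pairs for denied process transitions in
    which the target context gains categories the source does not hold; these are
    blocked by the MCS constraints unless the source type has mcssetcats."""
    hits = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "process":
            continue
        if "transition" not in m.group("perms").split():
            continue
        styp, scats = parse_context(m.group("scontext"))
        ttyp, tcats = parse_context(m.group("tcontext"))
        if not scats and tcats:
            hits.append((styp, ttyp))
    return hits
```

Each reported pair names the daemon domain that would need mcs_process_set_categories() (or the typeattribute workaround above) and the user domain it failed to reach.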